Conditional Access: Browser access via MFA unexpected behavior

Problem description

Hi,

I've created a conditional access policy which forces MFA when my services are accessed using a browser, since we are testing I wanted to exclude the Azure management portal from the applications applicable in order to be sure to be able to access the portal. 

  • Settings:
  • Name: Browser Access via MFA
  • Assignments:
  • Users and Groups: All users included, and specific group for fail safe accounts excluded
  • Cloud apps: All Cloud Apps, Microsoft Azure Management excluded
  • Conditions: 
  • Locations: Any location, all trusted locations excluded
  • Client apps (preview): Browser
  • Access Controls:
  • Grant: Grant access\Require multi-factor authentication

When I enable this Conditional Access policy and logon to the Azure Management Portal I'm receiving errors like: 

The portal is having issues getting an authentication token. The experience rendered may be degraded. Additional information from the call to get a token: Extension: fx Resource: graph Details: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'. Trace ID: f3b74d60-05f7-45a8-9035-8fbffa1d2900 Correlation ID: f6338c63-d5f6-4e8c-b030-7a06e7ea46ae Timestamp: 2019-01-23 13:21:38Z

Working in the portal is not doable, since only partial stuff works. 

If I remove the Azure Management Portal from the exclusion list, all seems to work as expected, I'm being asked for MFA when using the browser as expected.

I hope someone can shed light on what I'm configuring wrong, it seems that the Microsoft Azure Management cloud app doesn't work as expected in this specific Conditional Access policy.

What if tooling doesn't give any issues b.t.w. when testing the policy against that... 

Hope someone can help,


/Kenneth

Solution

This error is usually directly related to conditional access. Please try the following:

1. Log in as a global tenant admin to https://portal.azure.com
2. Open the app registration
3. Go to Settings then "Required Permissions"
4. Press the Grant Permissions button

See the troubleshooting guide as well: https://github.com/AzureAD/azure-activedirectory-library-for-dotnet/wiki/troubleshooting-mfa
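The following is an added example, not code from the thread or from Microsoft: a simplified model of how a policy with Kenneth's settings is evaluated against each token request the browser makes. It assumes the policy shape of the Microsoft Graph conditionalAccessPolicy resource and a per-request evaluation in which the exclusion covers only the Microsoft Azure Management app itself, so the portal's follow-up token request for the Graph resource named in the AADSTS50076 error still falls under the MFA grant. The evaluation logic is an illustrative assumption, not Microsoft's implementation.

```python
# Added example (not from the original thread): a simplified model of how a
# Conditional Access policy like Kenneth's is evaluated per token request.
# Policy fields follow the shape of the Microsoft Graph conditionalAccessPolicy
# resource; the evaluation logic is an assumption for illustration only.

AZURE_MGMT_APP = "797f4846-ba00-4fd7-ba43-dac1f8f63013"  # Microsoft Azure Management (well-known appId)
AAD_GRAPH_APP = "00000002-0000-0000-c000-000000000000"   # resource named in the AADSTS50076 error

# Constructed policy matching the settings listed in the question.
BROWSER_MFA_POLICY = {
    "displayName": "Browser Access via MFA",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeGroups": ["<fail-safe-group-id>"]},
        "applications": {"includeApplications": ["All"],
                         "excludeApplications": [AZURE_MGMT_APP]},
        "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]},
        "clientAppTypes": ["browser"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}


def policy_applies(policy, request):
    """True when every condition matches one token request.

    request keys: user_groups, resource_app, trusted_location, client_app_type.
    """
    if policy["state"] != "enabled":
        return False
    c = policy["conditions"]
    if set(request["user_groups"]) & set(c["users"].get("excludeGroups", [])):
        return False                      # user is in an excluded group
    apps = c["applications"]
    if request["resource_app"] in apps.get("excludeApplications", []):
        return False                      # only this exact resource is excluded
    if "All" not in apps["includeApplications"] and request["resource_app"] not in apps["includeApplications"]:
        return False
    if request["trusted_location"] and "AllTrusted" in c["locations"].get("excludeLocations", []):
        return False
    return request["client_app_type"] in c["clientAppTypes"]


def required_controls(policy, request):
    """Controls the user must satisfy for this request ([] means none)."""
    return list(policy["grantControls"]["builtInControls"]) if policy_applies(policy, request) else []


def portal_session_controls(policy, user_groups=(), trusted=False):
    """Portal sign-in plus the token the portal then fetches for Graph, both from
    the browser: returns {resource_app: required controls} per request."""
    out = {}
    for resource in (AZURE_MGMT_APP, AAD_GRAPH_APP):
        req = {"user_groups": list(user_groups), "resource_app": resource,
               "trusted_location": trusted, "client_app_type": "browser"}
        out[resource] = required_controls(policy, req)
    return out
```

In this model the portal app request passes without MFA while the Graph request still requires it, which matches the partially working portal and the error in the question; users in the fail-safe group or on a trusted location are untouched by either request.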


